Splunk SDK for Java command line examples

You can start getting familiar with the Splunk SDK for Java by running the command-line examples that came with the SDK.

After you build the SDK, the examples are placed in the /splunk-sdk-java/dist/examples directory. To run an example, invoke the Java interpreter at the command line with the -jar flag to specify the example jar file, and include any arguments the example requires.

If you saved your login credentials in the .splunkrc file, you can omit the credential arguments:

java -jar <examplename>.jar

To get help for an example, use the --help argument with an example:

java -jar <examplename>.jar --help

A helper script called run in the /splunk-sdk-java directory simplifies running the SDK examples. For example, on *nix you can simply enter:

./run <examplename>

Run examples

The following command lines show how to use the SDK examples with the run helper script. Make sure Splunk is running, and then open a command prompt in the /splunk-sdk-java directory.

Work with data indexes

The index.jar example lets you work with the indexes that store your Splunk Enterprise data. When you run the index.jar example with no arguments, it lists all indexes along with the number of events in each:

./run index

You can also specify an action (clean, enable, disable) to perform on a specific index. This shows how to clean the "summary" index:

./run index clean summary

Display Splunk system info

The info.jar example takes no arguments and simply prints system information about your Splunk Enterprise instance to the console:

./run info

Export indexed events to a file

The export.jar example takes events from an index and saves them to a hard-coded file, export.out, in the current working directory. The default format is CSV, but you can also specify XML or JSON. If an export.out file already exists, an exception is thrown unless you use the recover argument (more on that below).

This exports the "main" index:

./run export main

You can use a search string to filter the events that are exported:

./run export main --search="search sourcetype=access_*"

To change the output format, you can specify XML, JSON, or CSV:

./run export main --search="search sourcetype=access_*" json

The recover argument continues an export of the index where you left off, for example after the process was interrupted. Using recover restarts the export and adds only new events at the top of the file:

./run export main recover
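The following POSIX sh wrapper is an added example, not code from the Splunk SDK for Java or its documentation. It ties together three points made above: the jar layout and argument passing behind the run helper, the .splunkrc credentials file (which stores the password in plaintext, so the wrapper warns when it is readable by group or others), and the export.out precondition of export.jar (an existing file throws unless recover is passed). SDK_HOME, SPLUNKRC, SDK_DRY_RUN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Splunk SDK for Java: a small POSIX sh wrapper
# around the SDK's example jars. Assumptions: the SDK checkout is $SDK_HOME
# (default: current directory) with jars under dist/examples/<name>.jar as the
# page describes, credentials live in $SPLUNKRC (default ~/.splunkrc), and
# SDK_DRY_RUN=1 prints the java command instead of running it.

SDK_HOME="${SDK_HOME:-.}"
SPLUNKRC="${SPLUNKRC:-$HOME/.splunkrc}"

# Return 0 when the credentials file is readable by its owner only.
# .splunkrc stores the Splunk password in plaintext, so a group- or
# world-readable copy is the first thing to check before a tool reads it.
splunkrc_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # POSIX find: -perm -040 = group read bit set, -perm -004 = other read bit set
    [ -z "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print the java command line for one example, e.g.
#   build_example_cmd export main --search="search sourcetype=access_*" json
# (arguments are printed unquoted; this is for display and dry runs only)
build_example_cmd() {
    name="$1"; shift
    printf 'java -jar %s/dist/examples/%s.jar' "$SDK_HOME" "$name"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# export.jar always writes ./export.out and throws if it already exists unless
# "recover" is among the arguments. Return 0 when the export may proceed.
export_precheck() {
    wants_recover=0
    for arg in "$@"; do [ "$arg" = recover ] && wants_recover=1; done
    if [ -f export.out ] && [ "$wants_recover" = 0 ]; then
        echo "export.out exists; move it aside, or pass 'recover' to resume" >&2
        return 1
    fi
    return 0
}

# Run (or, in dry-run mode, print) one example with its arguments.
run_example() {
    name="$1"; shift
    if [ -f "$SPLUNKRC" ] && ! splunkrc_is_private "$SPLUNKRC"; then
        echo "warning: $SPLUNKRC is readable by others; fix with: chmod 600 $SPLUNKRC" >&2
    fi
    if [ "$name" = export ]; then
        export_precheck "$@" || return 1
    fi
    if [ "${SDK_DRY_RUN:-0}" = 1 ]; then
        build_example_cmd "$name" "$@"
    else
        java -jar "$SDK_HOME/dist/examples/$name.jar" "$@"
    fi
}
```

Source the file and call, for instance, `run_example export main --search="search sourcetype=access_*" json`; with SDK_DRY_RUN=1 it only prints the java command, which is a convenient way to confirm the jar path and argument order before touching a live instance.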

Run GET commands for Splunk Enterprise REST API endpoints

The spurl.jar example runs a GET command against any endpoint in the Splunk REST API and returns the Atom Feed response. These two commands query different endpoints:

./run spurl /services/data/indexes

./run spurl /services/saved/searches

Display events as they are indexed

The tail.jar example prints events to the console as they are indexed (the "tail" of a real-time search), and you can specify an output format. For example, this command prints incoming events to the "twitter" index in XML format:

./run tail "search index=twitter" --format=xml

Generate sample events for testing

The genevents.jar example is a simple event generator that writes 50,000 short time-stamped events to a specified index. For example, this adds events to the "main" index:

./run genevents main

Use genevents.jar for testing when you need a large number of events. For example, you can combine genevents.jar with the tail.jar example to display events as they are received in a "test" index: open two command prompt windows, run genevents against the "test" index in one, and run tail with a search on that index in the other.
